What you actually need

Three things at the
dev-machine layer.
Built today.

Visibility into prompts and completions, tied to identity, agent, and host. Deterministic enforcement on patterns you can name. Cryptographic evidence — exportable to SIEM, SOC 2, and FedRAMP — that the published policy is the one that decided each request.

A clean AI-egress control is three properties at once.

A vendor who sells you one of the three is selling you a piece of an answer.

01 · VISIBILITY

Prompt + completion + identity

You need to see the request body, who sent it, which agent sent it, which host it left, and which policy version it was decided under.

02 · ENFORCEMENT

Deterministic on patterns you can name

A regulated buyer needs a layer that blocks by policy alone — no model in the path, no opinion. The judge is additive; it is not the floor.

03 · EVIDENCE

Cryptographic, exportable, offline-verifiable

An auditor needs to prove, after the fact, which signed policy decided each request — without re-running Tether or trusting Tether to vouch for itself.

Eight capabilities,
each citation-grade.

Each row is a BUILT or PARTIAL capability from the read-only review. PARTIAL is scoped honestly — what's in production today, what's reserved for the managed VSCodium build.

Loopback-only by default

Connect proxy on 127.0.0.1:11435 — does not require system-wide rerouting.

proxy/main.go:98-103
What it does today
Binds to 127.0.0.1 by default. Operators can widen via bind_host or TETHER_PROXY_BIND_HOST, but the proxy emits a named startup warning. No root CA is installed on the developer machine. CONNECT tunnels are byte-copied bidirectionally — Tether classifies the destination host and does not decrypt the tunnel.
Why it matters
Developer-aware orgs in 2026 push back hard on corporate root CAs because the same CA that decrypts a Cursor call decrypts the developer's banking session. Tether's loopback posture gives your CISO a real differentiator vs. CASB/DLP stacks that require CA installation — without overclaiming. The trade is that an agent that does not honor HTTP_PROXY is not governed.

Deterministic blocklist floor (Tier 0)

Compiled regex over the embedded floor plus operator-promoted patterns.

blocklist.go:138 proxy_core.go:114-117
What it does today
Returns HTTP 403 with reason text on match. The forward path is not reached. The embedded floor is immutable; operators add patterns via signed policy. False-positive remediation lives in the AllowlistPatterns field — a 10-second turnaround once published.
Why it matters
For known credential formats (AWS access keys, GitHub tokens, internal customer-ID regexes you author in week one), Tier 0 is the strong guarantee — no model, no network, no opinion. This is the layer a SOC 2 CC8 auditor can attest against because the decision is deterministic and reproducible offline.

Ed25519-signed policy distribution

Bundles signed in Overwatch, verified by the proxy, ACKed by hostname.

policy-signing.js:122-150 policy_signing.go:171-203
What it does today
The control plane signs {schemaVersion, version, controls, publishedAt} at publish. Each proxy verifies before applying — TOFU-pinned per-tenant public key, fail-closed on mismatch. Monotonic version blocks replay. Policy poll interval is 10 seconds; ACKs include {hostname, version, appliedAt} so Overwatch shows real fleet-adoption state.
Why it matters
Most enterprise policy-distribution mechanisms take minutes to hours to propagate; a 10-second bound matters during incident response. Signed bundles map to SOC 2 CC8 change-management evidence — your auditor decides what they accept. The chain is: Overwatch signs, the proxy verifies, the response stamps the version, the auditor re-verifies offline.

Hardware-adaptive local model judge

Four hardware tiers: metal / cuda / cpu-modern / cpu-low. Customer-supplied model.

judge_selector.go:76-93
What it does today
The proxy probes hardware on startup and selects from a catalog of judge profiles. Two runtimes are supported: local Ollama (per-vendor model overrides) and cloud OpenAI-compatible. Async by default at a 3% sample rate, hard-capped at 10%. Mandatory escalations on novel-agent, novel-destination, and large-body. Sync-blocking is opt-in via cloud_judge_can_block with a default 800 ms timeout.
Why it matters
The judge is customer-supplied — model spend goes to the customer's vendor, not Tether. This keeps the per-seat economics honest. On-prem teams run local Ollama and stay within their boundary; air-gap teams get a coherent path. The sync-block plus fail-closed-on-timeout posture closes the structural exfiltration window a network adversary would otherwise exploit by delaying judge calls.

Three-tier judge authority

Tier 0 always blocks · Tier 1 sync fail-closed (opt-in) · Tier 2 advisory cannot block.

docs/JUDGE_AUTHORITY.md
What it does today
The proxy compiles tier authority into the request path as distinct branches — not a single configurable knob. Tier 0 cannot be opted out of at runtime. Tier 1 is configurable; sync-block opt-in at deploy time. When enabled, blocks in-band and fails closed on timeout. Tier 2's goroutine has no handle on the already-sent response — advisory is a code invariant, not a policy choice.
Why it matters
"The judge said ALLOWED" and "the request was allowed" are two different statements that depend on the tier in effect. Tether labels which one applies at any moment, in the event record and in the response header. Full breakdown on /how-it-works · Judge authority.

SIEM adapters — Splunk HEC · Sentinel · syslog

Splunk HEC, Microsoft Sentinel via HMAC-signed Log Analytics, syslog RFC 5424 UDP.

siem-adapters.js:36
What it does today
Every event fans out to all registered SIEM adapters in parallel. Splunk HEC, Sentinel via the SharedKey HMAC-SHA256 Log Analytics path, syslog RFC 5424 over UDP via Node's dgram. Shared 5-attempt exponential-backoff retry. HMAC-SHA256 outbound webhooks ride the same fan-out infrastructure.
Why it matters
Your platform team writes zero code to put Tether events in the SIEM you already pay for. A platform engineer who knows Splunk or Sentinel can wire the adapter in an afternoon. Volume to plan against: roughly 10K events/day, ~10 MB/day at 50 seats. Do your own license math.

SCIM directory sync via Jackson

HMAC-signed webhook · role-from-groups mapping · full audit trail.

jackson.js:205-291
What it does today
BoxyHQ Jackson handles SAML/OIDC and directory-sync. The SCIM webhook is HMAC-SHA256-signed. user.created / user.updated / user.deleted map to roles via group name (Overwatch Admins / Overwatch Operators / default viewer; group names are env-configurable). Every provision and deprovision lands in the audit trail.
Why it matters
Operator seats are provisioned from the customer's IdP — no manual user-management in Tether. A deprovision in Okta or Entra cuts the operator's access within the Jackson sync window. Maps to CC6 logical-access controls — your auditor evaluates the evidence.

Device posture export — four formats

Tether-native JSON · Okta Device Trust · Microsoft Graph managedDevice · CSV.

posture-export.js:217-228
What it does today
GET /api/v1/devices/posture/export in tether, okta, entra, or csv formats, with ?compliantOnly= and ?since= filters. The Okta envelope plugs into Device Trust attestation. The Entra shape mirrors GET /deviceManagement/managedDevices with the extensions.aiSecurityPosture namespace.
Why it matters
Your IdP's conditional-access policy reads Tether posture without a custom converter. A non-compliant developer machine — proxy off, daemon stale — drops out of the device-trust set automatically. The Okta and Entra teams already understand the formats; the platform team does not need to translate.

Reproducible enforcement attestation

X-Tether-Policy-Version on every response · auditors verify offline.

docs/ATTESTATION.md
What it does today
Every blocked 403 and every forwarded response carries X-Tether-Policy-Version. Every event and judge review stamps the active policyVersion. GET /api/v1/policy/versions/<version> returns the signed bundle. An auditor runs Ed25519 verification offline (openssl pkeyutl -verify) against the controls in force.
Why it matters
For FedRAMP and CMMC Level 2, per-request provenance is what turns a policy from "claimed" into "evidenced" — your auditor pulls the bundle, runs Ed25519 offline, and reads the controls in force. The honest caveat: in-memory events expire on Overwatch restart unless your SIEM adapter forwards them — that's why the SIEM adapters are part of the same release.

Clipboard, downloads, external links
— shipping in the managed VSCodium build.

The workspace daemon is in production and produces the right decision plus a WORKSPACE_COACHED audit on every fire. The IDE-side enforcement seam lives in the managed VSCodium artifact, which post-dates the Connect tier.

What's available in pilot today
  • · Daemon decisions and audit. Clipboard / downloads / external links / screen capture / coach mode all return correct decisions and emit events.
  • · VS Code extension. Shipped. Tier-2 env injection (opt-in), SCIM identity sync, agent inventory.
  • · MCP tether_may_i_* tools. Voluntary surface for cooperative agents — needs_approval rides the JIT queue.
Preview / 90-day roadmap
  • · Managed VSCodium artifact. Signed installer for macOS / Windows / Linux. 4-8 engineering weeks of signing infrastructure away.
  • · Cursor and JetBrains. VS Code shipped. Cursor and JetBrains extensions on the 90-day roadmap.
  • · Per-request attestation hardening. Tamper-evident per-version bundle retention. Today: append-only policy-audit.jsonl. SQLite-backed durable stores post-GA.

Just-in-time access requests.
From the developer's IDE to the operator's queue.

JIT fires when a workspace axis (clipboard, downloads, external links, screen capture) is set to request mode. The daemon pauses the action and posts to Overwatch; the operator decides.

Trigger. The workspace daemon's policy axis (e.g., clipboard.mode) is set to request. The action does not run until a decision is returned.

Operator decides. Request lands in /access-requests in the Overwatch console. Default SLA is a 5-minute TTL per PILOT.md; tunable per axis.

Timeout. Behavior on expiry is configurable per axis — block, allow, or fall through to coach (advisory). The daemon emits an audit event either way.

MCP path. Cooperative agents that speak the MCP tether_may_i_* surface can escalate the same way — the needs_approval result rides the JIT queue and the operator UI is the same.

workspace/main.go:349-402   overwatch/api/server.js

See the operator-decides beat on the demo page for the rendered console view.

"What about Cursor?"

Coverage depends on whether the tool honors a base-URL override. Three tiers; honest about each.

Per-tool AI agent coverage: architecture, best Tether tier today, what Tether sees, and the honest gap.
Tool Architecture Best tier today What we see Honest gap
Claude CodeAnthropic CLI, Node.jsTier B (configured-upstream)Full prompt + response stream, tool-use blocks, file attachmentsMCP servers need their own coverage
OpenAI Codex CLIOpenAI CLITier BFull prompt, response, tool callsNon-OpenAI provider configs need local prefix
AiderOpen-source Python CLITier BFull prompt, response, every file attached, every diff appliedNone at Tier B
ZedNative Rust editorTier BFull prompt, response, file contextCustom provider added after install drops to Tier A until re-sync
VS Code + Continue / CopilotVS Code extensionTier A on Copilot · Tier B on ContinueCopilot: vendor + identity. Continue: full contentCopilot's prompt path is opaque — Tier A is the honest claim
CursorClosed-source VS Code forkTier B on BYOK · Tier A on default flowBYOK: full content. Default: vendor + identityDefault flow on unmanaged devices: prompt content not visible
Browser-only (ChatGPT.com)Web appNetwork destination via your existing CASBNot in Tether's scope. Browser extension on roadmap; not shipping today

Full per-tool detail lives in the current AI-tool coverage matrix on master. Bring the two tools your developers actually use; we will walk you through what Tether sees on each.

Bring two tools.
We'll show you both tiers.

Bring the AI tool your developers use most and one you're considering. We'll show you what Tether sees on each — and what it doesn't.

Book a 30-min walkthrough ↗